Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include computer viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software.
When a device is infected by a malware program the user will often notice unwanted behaviour and degraded system performance, because the infection generates extra processor activity, memory usage and network traffic. The infection can also cause stability problems leading to application or system-wide crashes. The user of an infected device may wrongly attribute the poor performance to software flaws or hardware problems and take inappropriate remedial action, when the real cause is a malware infection of which they are unaware. Furthermore, even where a malware infection causes no perceptible change in the performance of a device, it may be performing other malicious functions, such as monitoring and stealing potentially valuable commercial, personal and/or financial information, or hijacking the device so that it can be exploited for some illegitimate purpose.
Many end users rely on anti-virus software to detect and, where possible, remove malware. To hide the presence of malware from end users and to evade detection by anti-virus software, malware authors therefore design their malware to mask or disguise itself as a legitimate process running on the computer. The malware achieves this by injecting its executable code into another process that is already running; the target process then blindly executes the injected code, effectively concealing the source of the malicious behaviour.
Computers are particularly vulnerable to such actions early in the start-up procedure and late in the shutdown procedure, since usually neither the user nor any anti-virus software is operating during these periods. Some malware programs are therefore designed to run as early as possible during start-up. They then inject themselves into one of the processes already loaded into the computer's RAM, before removing almost all references to and traces of the malware from the system, such as the original start-up file on the hard disk and the launch point (usually a registry entry) that caused that file to run automatically, keeping only the run-time code inside the target process. This makes such malware considerably harder to detect and remove once the anti-virus software is active, because there is no longer a file on disk or a launch point for it to scan.
Typically, the shutdown of a computer system causes all services, including those provided by anti-virus software, to stop their activity. However, there is still a short period after the anti-virus service has stopped and before the system halts during which the malware can arrange to run again once the computer is rebooted. These malware programs are therefore further designed to re-write themselves onto the hard disk and re-create their launch points during this window, ensuring that they will run the next time the computer is started.
An example of a malware program designed in this way is the Bandok (aka BackDoor-CSN, Bandook) trojan, which creates a RunOnce registry key as its launch point. When executed, this trojan injects its code into other running processes, such as explorer.exe, and the targeted process then executes this code, creating a watchdog thread. The RunOnce registry key is automatically removed by Windows™ after the trojan has been run, and the malware program file is removed from the hard disk. When the computer system is subsequently shut down, the malware restores the RunOnce registry key and recreates its start-up file on the hard disk from the memory of the target process (i.e. explorer.exe). This writing to the registry and to the hard disk takes place during shutdown of the infected computer system, when most anti-virus monitoring has been deactivated. The malware thereby successfully re-establishes itself to be executed at the next system restart.
The Brontok worm also displays similar behaviour. This malware program is designed to cause an infected computer system to reboot each time it notices an attempt to remove it, either manually or by anti-virus software. In doing so, this malware program relies on the fact that the protection provided by anti-virus will usually stop as soon as shutdown of the computer system is initiated. As such, rebooting is used by this malware as a way to disable the anti-virus software, whilst still providing enough time for the malware to re-create any components that it requires to ensure that it is run when the system restarts.
FIG. 1 is a flow diagram further illustrating the process implemented by malware that attempts to hide its presence in this way. The steps performed are as follows:
A1. Start-up of an infected computer system is initiated (i.e. either by the user or as part of a re-start procedure).
A2. A launch point installed by the malware causes the malware program/executable file installed on the hard disk to be run.
A3. The malware then injects its run-time code into a legitimate running process, deletes its start-up executable files from the hard disk, and deletes its launch point.
A4. Any anti-virus program that is installed on the computer is then activated.
A5. During the running of the computer system the anti-virus fails to detect the presence of the malware infection as it is well hidden within the legitimate running processes, and both its image on the hard disk and its launch point have been deleted.
A6. Shutdown of the computer system is then initiated, and the anti-virus program is deactivated.
A7. The malware run-time code within the running processes is aware that shutdown has been initiated, and therefore re-creates its launch point and restores its start-up code on to the hard disk, ready to be run once the computer is re-started.
A8. The computer system then shuts down.
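The behaviour in steps A1 to A8, together with the Bandok and Brontok descriptions above, can be caught by correlating ordinary host telemetry rather than by scanning for a file that is no longer on disk. The following Python is an added example written for this page; it is not code from the original text, from any product, or from the malware described. It assumes a constructed event schema (process start, remote-thread creation, file and registry writes and deletes, and a shutdown-initiated marker) and a constructed sample event stream; the paths, key names, process IDs and the file name svchst.exe are all invented for illustration. It flags three things: a process started from a launch point that deletes its own image (step A3), a launch point re-created after shutdown has begun by a process that received injected code or pointing at an erased image (step A7), and an erased image rewritten to disk after shutdown has begun (step A7). A legitimate updater that sets a Run key during shutdown is deliberately included and is not flagged, since it is neither an injection host nor restoring an erased file.

```python
"""Correlate host telemetry to detect self-erasing, shutdown-persisting malware.

Added example, not part of the original page. The event schema and the sample
stream below are constructed assumptions, not any real product's log format.
"""
from dataclasses import dataclass, field

# Registry autorun locations treated as launch points. Assumption: telemetry
# reports full key paths such as HKCU\Software\...\CurrentVersion\RunOnce\name.
LAUNCH_KEY_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def is_launch_point(key: str) -> bool:
    return any(marker in key for marker in LAUNCH_KEY_MARKERS)


@dataclass
class State:
    launch_targets: dict = field(default_factory=dict)  # registry key -> image path it launches
    image_of: dict = field(default_factory=dict)        # pid -> image path, for processes started via a launch point
    injected_hosts: set = field(default_factory=set)    # pids that received a remote thread from such a process
    erased: set = field(default_factory=set)            # image paths deleted by the process they belong to
    shutdown_started: bool = False
    alerts: list = field(default_factory=list)


def analyse(events):
    """Return a list of (rule, detail) alerts for a time-ordered event stream."""
    s = State()
    for ev in events:
        kind = ev["type"]
        if kind == "reg_set" and is_launch_point(ev["key"]):
            path = ev["data"].lower()
            # A7: a launch point created after shutdown began, by a process that
            # hosts injected code or pointing at a file that was self-erased earlier.
            if s.shutdown_started and (ev["pid"] in s.injected_hosts or path in s.erased):
                s.alerts.append(("shutdown_launch_point",
                                 f"pid {ev['pid']} re-created {ev['key']} -> {ev['data']}"))
            s.launch_targets[ev["key"]] = path
        elif kind == "process_start":
            image = ev["image"].lower()
            if image in s.launch_targets.values():   # A2: started from a launch point
                s.image_of[ev["pid"]] = image
        elif kind == "remote_thread" and ev["pid"] in s.image_of:
            s.injected_hosts.add(ev["target_pid"])   # A3: code injected into a legitimate process
        elif kind == "reg_delete":
            s.launch_targets.pop(ev["key"], None)    # A3: launch point removed (by malware or by Windows for RunOnce)
        elif kind == "file_delete":
            path = ev["path"].lower()
            if s.image_of.get(ev["pid"]) == path:    # A3: a process deleting its own start-up file
                s.erased.add(path)
                s.alerts.append(("self_erase", f"pid {ev['pid']} deleted its own image {ev['path']}"))
        elif kind == "shutdown_initiated":
            s.shutdown_started = True                # A6
        elif kind == "file_write" and s.shutdown_started:
            path = ev["path"].lower()
            # A7: the erased image, or a new executable from an injection host, written during shutdown.
            if path in s.erased or (ev["pid"] in s.injected_hosts and path.endswith(".exe")):
                s.alerts.append(("shutdown_image_restore",
                                 f"pid {ev['pid']} wrote {ev['path']} after shutdown began"))
    return s.alerts


# Constructed sample stream following steps A1-A8; pid 980 plays explorer.exe.
MALWARE_PATH = r"C:\Users\alice\AppData\Roaming\svchst.exe"   # invented name, not a real sample
RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchst"
SAMPLE_EVENTS = [
    {"type": "reg_set", "ts": 10, "pid": 512, "key": RUNONCE_KEY, "data": MALWARE_PATH},   # dropper installs launch point
    {"type": "process_start", "ts": 300, "pid": 1204, "image": MALWARE_PATH},             # A2
    {"type": "remote_thread", "ts": 301, "pid": 1204, "target_pid": 980},                 # A3: inject into explorer.exe
    {"type": "reg_delete", "ts": 302, "pid": 980, "key": RUNONCE_KEY},                    # A3: launch point gone
    {"type": "file_delete", "ts": 303, "pid": 1204, "path": MALWARE_PATH},                # A3: image erased
    {"type": "file_write", "ts": 4000, "pid": 980, "path": r"C:\Users\alice\Documents\notes.txt"},  # benign
    {"type": "shutdown_initiated", "ts": 9000},                                          # A6
    {"type": "reg_set", "ts": 9001, "pid": 300,                                          # benign updater, not flagged
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
    {"type": "reg_set", "ts": 9002, "pid": 980, "key": RUNONCE_KEY, "data": MALWARE_PATH},  # A7
    {"type": "file_write", "ts": 9003, "pid": 980, "path": MALWARE_PATH},                 # A7
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The point of keying the shutdown-time rules on an injection host or an erased path is precision: plenty of legitimate software writes Run and RunOnce entries at shutdown, so "any launch point set after shutdown began" alone would be noisy. On a real host the same logic needs the telemetry source to keep running until the system halts, which is exactly the window the text says conventional anti-virus gives up.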